TBSM 6.2: Configure SSO between DASH and Impact with a different Realm Name - getting error The principal 'uid=tbsmadmin,o=netcoolObjectServerRepository' is not authorized

As part of TBSM 6.2 installation, SSO can be configured between DASH and Impact.
If, during the configuration of SSO between DASH and Impact, the default realm name (defaultWIMFileBasedRealm) was changed to something else (example: dashtest), then, although everything appears to be working fine with the SSO and console integration parts, there are problems when the tbsmadmin user is used to create a new page in DASH and add a TBSM datasource such as TBSM Topology.

In this situation, the following error is displayed in the SystemOut.log file:

com.ibm.websphere.wim.security.authz.AccessException
com.ibm.websphere.wim.security.authz.AccessException: CWWIM2008E The principal 'uid=tbsmadmin,o=netcoolObjectServerRepository' is not authorized to perform the option
'GET PersonAccount' on 'uid=tbsmadmin,o=netcoolObjectServerRepository'

If the realm name is restored to its default name, e.g. defaultWIMFileBasedRealm, and the SSO steps are followed again, everything appears to be working correctly and the authorization error is not generated.
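An added example, not part of the original post: a small Python check that pulls CWWIM2008E denials out of SystemOut.log text and flags the case seen in this thread, where a principal is refused access to its own entry. The function names are hypothetical, and the sample log lines (timestamps, thread IDs, the uid=viewer user) are constructed for illustration.

```python
import re
from collections import Counter

# Message layout taken from the CWWIM2008E text quoted in the post.
DENIAL = re.compile(
    r"CWWIM2008E The principal '(?P<principal>[^']+)' is not authorized "
    r"to perform the \w+ '(?P<operation>[^']+)' on '(?P<target>[^']+)'"
)

# Constructed sample lines; timestamps, thread IDs and uid=viewer are made up.
SAMPLE_LOG = """\
[1/1/20 10:00:01:000 UTC] 00000001 SystemOut O page created
[1/1/20 10:00:02:000 UTC] 00000002 SystemErr R com.ibm.websphere.wim.security.authz.AccessException: CWWIM2008E The principal 'uid=tbsmadmin,o=netcoolObjectServerRepository' is not authorized to perform the option
'GET PersonAccount' on 'uid=tbsmadmin,o=netcoolObjectServerRepository'
[1/1/20 10:00:09:000 UTC] 00000002 SystemErr R CWWIM2008E The principal 'uid=tbsmadmin,o=netcoolObjectServerRepository' is not authorized to perform the option 'GET PersonAccount' on 'uid=tbsmadmin,o=netcoolObjectServerRepository'
[1/1/20 10:01:00:000 UTC] 00000003 SystemErr R CWWIM2008E The principal 'uid=viewer,o=netcoolObjectServerRepository' is not authorized to perform the option 'GET PersonAccount' on 'uid=tbsmadmin,o=netcoolObjectServerRepository'
"""


def find_denials(log_text):
    """Return one dict per CWWIM2008E denial, tolerating wrapped messages."""
    flat = " ".join(log_text.split())  # a wrapped message becomes one line
    denials = []
    for match in DENIAL.finditer(flat):
        denial = match.groupdict()
        # A principal refused access to its own entry is the symptom in this thread.
        denial["self_lookup"] = denial["principal"].lower() == denial["target"].lower()
        denials.append(denial)
    return denials


def self_denials(log_text):
    """Count self-lookup denials per (principal, operation)."""
    return dict(Counter(
        (d["principal"], d["operation"])
        for d in find_denials(log_text) if d["self_lookup"]
    ))


if __name__ == "__main__":
    for (principal, operation), count in self_denials(SAMPLE_LOG).items():
        print(f"{count}x self-lookup denied: {principal} ({operation})")
```

Running the same check after a configuration change and a fresh test shows whether new self-lookup denials are still being logged.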

1 reply

There are 2 possible solutions to keep the customized name you want for the Realm.

Solution 1:

Via the WAS console, delete all the role mappings and re-add them (administrative roles + audit roles (if this feature is enabled) + security role mappings).

Log in to WAS as smadmin user -> Applications -> WebSphere Enterprise Applications -> select isc and click on it -> Select “Security role to user/groups mapping” -> Select all roles -> click on Map Users -> Search for the tbsmadmin user and add it to the mapping list -> Click OK and save the configuration.

Afterwards, go to “Users and Groups” -> Administrative user roles -> Remove tbsmadmin user as this was mapped by default with the initial realm name -> Re-add the administrative roles to this user -> Select all the required roles and tbsmadmin user -> Click OK and save the configuration.

Then re-test the SSO and adding TBSM Topology as a datasource for widgets -> everything seems to be working fine now, no “tbsmadmin user is not authorized” error anymore.

Solution 2:

The 2 files below can be manually edited to reflect the correct Realm name for the tbsmadmin user, and a server restart will be required for the changes to take effect.